--- - name: Validate route termination configuration fail: msg: > When 'openshift_hosted_registry_routetermination' is 'reencrypt', you must provide certificate files with 'openshift_hosted_registry_routecertificates' when: ('certfile' not in openshift_hosted_registry_routecertificates) or ('keyfile' not in openshift_hosted_registry_routecertificates) or ('cafile' not in openshift_hosted_registry_routecertificates) - name: Configure self-signed certificate file paths set_fact: docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt" docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key" docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt" docker_registry_self_signed: true - name: Retrieve provided certificate files copy: backup: True dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}" src: "{{ item.value }}" when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value with_dict: "{{ openshift_hosted_registry_routecertificates }}" # Encrypt with the provided certificate and provide the dest_cacert for the # self-signed certificate at the endpoint - name: Configure a reencrypt route for docker-registry oc_route: name: docker-registry namespace: "{{ openshift_hosted_registry_namespace }}" service_name: docker-registry tls_termination: "{{ openshift_hosted_registry_routetermination }}" host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}" cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}" key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}" cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}" dest_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"